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17 SEP 1981 


MEMORANDUM POR: See Distribution 


STAT FROM: 
Director of Information Services, DDA 
SUBJECT: Evaluation of the Agency's Information Security 
Program by the Information Security Oversight 
Office 


1. For your information, attached is the latest evaluation of the 
Agency's information security program prepared by the Information Security 
Oversight Office. As you will note, the findings generally are favorable 
and the recommendations for improvement relatively minor. 


2. Please thank the participants for their cooperation during this 
inspection and commend them for a job well done. 


STAT 


Attachment: 
As stated 
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SUBJECT: Evaluation of the Agency's Information Security Program 
by the Information Security Oversight Office 


Distribution: 
Director, Intelligence Community Staff 
Director, National Foreign Assessment Center 
Chairman, National Intelligence Council 
Deputy Director for Operations 
Deputy Director for Science and Technology 
General Counsel 
Inspector General 
Comptroller 
Director, Equal Employment Opportunity 
Director of Personnel 

. Director of Policy and Planning 
Executive Secretary 
Director of Communications 
Director of Data Processing 
Director of Finance 
Director of Logistics 
Director of Medical Services 
Director of Security 
Director of Training and Education 
Chief, Classification Review Division 
Chief, Information and Privacy Division 
Chief, Regulations Control Division 
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‘SUL 28 1983 
Mr. Harry E. Fitzwater 
Deputy Director for Administration 
Central Intelligence Agency 
Washington, DC 20505 


Dear Mr. Fitzwater: 


Over a period of several months analysts of the Information Security Oversight Office 
(ISOO) have conducted inspections of several Directorates and offices in the Central 
Intelligence Agency (CIA). The inspections were conducted in accordance with the 
provisions of Section 5-2, Executive Order 12065. We believe that the enclosed report, 
documenting the findings of the SOO analysts, represents an accurate picture of those 
aspects of the programs evaluated and offers reasonable proposals for improvement. 


The review has shown that the CIA has an excellent information security program. | 
encourage the CIA to continue its support in implementing the provisions of the Order. 


| appreciate the cooperation and courtesy extended to [SOO analysts during the 
inspections. Be assured that ISOO will assist in any way possible to help your agency 
meet the goals of Executive Order 12065. 

Sincerely, 


STEVEN GARFINKEL 
Director 


ATTACHMENTS: 


|. Inspection Report 
2. Areas, Dates and Subjects of Inspection 
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ATTACHMENT NO. | 


INFORMATION SECURITY OVERSIGHT OFFICE 
INSPECTION OF THE CENTRAL INTELLIGENCE AGENCY 


GENERAL 


The Information Security Oversight Office (ISOO), established under Executive 
Order 12065, is responsible for monitoring Executive branch agencies and their 
actions to implement the provisions of the Order. Overall policy direction is 
provided to ISOO by the National Security Council. Sections 5-202 (a) and (h) of 
the Order authorize ISOO to conduct onsite reviews of the information security 
program of each agency that handles classified information. In compliance with 
the above provisions, Jane Payne and Harold Mason, [SOO analysts, conducted 
five reviews of various phases of the Central! Intelligence Agency's (CIA) 
information security program. Areas, dates and subjects of the inspection are 
provided on Attachment No. 2, ; 


FINDINGS 


A. Status of Implementation. Throughout the CIA, there is consistency in 
marking, safeguarding, classification and general compliance with the 
provisions of the Order and ISOO Implementing Directive No. |. This is 
attributable to (1) excellent training provided to all personnel; (2) the use 
of specialized classification guides and (3) other programs that prescribe 
the requirements for the protection of Intelligence activities, sources, - 
methods and other sensitive information. The inspections indicate that CIA 
personnel have an excellent understanding of the Order and comply with its 
provisions, 


I. Classification. 


a. Original Classification. Officials granted original classification 
authority are designated in writing and limited in number. 
Extensive use of classification guides limits the number of 
original classification decisions to a minimum. 


b. Identification and Markings. CIA's compliance with the portion 


marking provision of the Order is commendable. In many 
instances, documents reviewed contained subportion marking in 
addition to the portion marking. This is extremely beneficial to 
user agencies who incorporate or paraphrase information from 
CIA documents in subsequent reports. 


The manner in which CIA marks its documents, when utilizing a 
classification guide, is among the most complete and thorough of 
any agency the analysts have inspected. Instead of merely 
identifying the guide the classifier also identifies the section in 
which the subject matter is located; the person who derivatively 
classifies the document; the date for review or declassification; 
and the reason for extension, when extended. When more than 
one section of the guide is used, the classifier identifies the 


guides and sections after each paragraph and marks "multiple 
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source" in the "derived from" section of the stamped marking. 
This procedure enabled the ISOO analysts to conduct an audit 
trail in a minimum period of time. 


c. Derivative Classification. The CIA is one of the few agencies 
which identifies personnel authorized to classify derivatively . 
This is beneficial for administrative purposes. 


d. Classification Guides. Classification guides have been published 
for each of the four directorates and have been in use since 
1978. Recently, a consolidated guide has been prepared for the 
use of all four directorates. This consolidated guide is presently 
being coordinated within CIA prior to publication. 


2. Systematic Review for Declassification. 


The present CIA commitment to the systematic review for 
declassification (SRD) program involves approximately 40 personnel 
with a budget in excess of $1 million (not including buildings, 
computer equipment, etc.). It is anticipated that the program will 
Sect million (including a 5 percent inflation factor) if continued 
until 1988. 


Administrative support for Freedom of Information Act (FOIA), SRD 
and mandatory review is provided by the same organizational unit. 
Declassified records are not segregated after review in order to 
maintain the integrity of the original files. However, CIA notifies the 
Carrollton Press whenever they declassify material. The CIA has set 
aside a reading room for release of information to the media, public 
interest groups and other members of the public to review 
declassified material upon request. 


3. Safeguarding. 


The CIA is in compliance with the safeguarding procedures 
established under the Order. 


B. Document Review. 


STAT yo a DDS &[L___]| The 1SOO analysts reviewed reports in the Production 

i and Analysis Branch which were compiled through overt collection 

\ procedures. One of these reports (TRENDS) is occasionally marked 

ae with a security classification such as "Confidential-declassify in six 

months." Since this report is based upon information already in the 

} public domain (newspapers, radio broadcasts) the analysts challenged 

: its justification. The CIA explained that they were currently 
conducting a six-month study into the propriety of using a security 
classification on this type of report. ISOO requests that it be 
apprised of the results of this study. 


b. DCI/OLC. Several minor marking deficiencies were noted, mainly 


concerning memoranda for the record; some lacked portion markings 
and others bore no markings other than the level of classification. 
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c. DDO/DCD. The majority of documents reviewed were original 
classification decisions and contained no portion marking. The 
analysts were informed that the reports contained raw intelligence 
information making it impossible to determine the proper portion 
markings. 


CONCLUSIONS 


The Central Intelligence Agency appears dedicated in its desire to comply fully 
with the provisions of the Order. Officials interviewed were cognizant of the 
Order and implementing directive and sincere in their desire to implement a 
strong information security program. 


RECOMMENDATIONS 

i. After the study has been completed on the TRENDS report in DDS&T[___] 
and a determination made; provide [SOO with information on the decision. 
(Section IIB a) 


2. Provide additional guidance to DCI/OLC on the proper procedures for 
marking. (Section Il B b) 


3. Determine if documents generated in DDO can be portion marked. 
(Section Il B c) 
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ATTACHMENT No. 2 


AREAS, DATES AND SUBJECTS OF INSPECTION 


EE ee 


DATES 
FEB. 25, 1981 


March 18, 1981 


April 8, 1981 


May 14, 1981 


June 23, 1981 


AREA OF VISIT 
DDA/OIS 


DDS & T Registry 


NFAC/OER 
pps &L_] 
DDA/OIS 


DDA/ODP 
NFAC/OCO 


DCI/OLC 
DDA/OIS 


“{_] 


DDO/Geographical 
Area 


DDA/OIS 


SUBJECTS 


The Use of Computers to 
Enhance Security Briefing 


DDS & T's Computer Assisted 


Registry Briefing and 
Document Review 


Briefing and Document 
Review 


Briefing and Document, 
Review 


Systematic Review for 
Declassification Briefing 


Project Safe Briefing 


Briefing and Document 
Review 


Briefing and Document 
Review 


Briefing on Classification 
Guides 


Briefing and Document 
Review 


Document Review 


Review of Visits and Out 
Briefing 
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ROUTING AND RECORD SHEET 
SUBJECT: (Optional) Evaluation of the Agency's Information Security Program by the 
Information Security Oversight Office 
FROM: EXTENSION | NO. ~ 
Aeteaze Director of Information : 
Services DATE 7 
ne Agee mua Tata i a 17 SEP 1981 
TO: (Officer designation, room number, and DATE 
building) OFFICER'S COMMENTS (Number each comment to show from whom 
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